The Hacker News — Cyber Security, Hacking, Technology News

A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.

Samba is open-source software (a re-implementation of the SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.

The newly discovered remote code execution vulnerability (CVE-2017-7494) affects all versions of Samba since 3.5.0, which was released on March 1, 2010.

"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wednesday.

Linux version of EternalBlue Exploit?

According to the Shodan computer search engine, more than 485,000 Samba-enabled computers expose port 445 to the Internet, and according to researchers at Rapid7, more than 104,000 internet-exposed endpoints appeared to be running vulnerable versions of Samba, of which 92,000 are running unsupported versions.

Since Samba is the SMB protocol implementation used on Linux and UNIX systems, some experts are calling this the "Linux version of EternalBlue," the exploit used by the WannaCry ransomware.

...or should I say SambaCry?

Keeping in mind the number of vulnerable systems and ease of exploiting this vulnerability, the Samba flaw could be exploited at large scale with wormable capabilities.

Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.

Exploit Code Released! (Bonus: Metasploit Module)

The flaw resides in the way Samba handles shared libraries. A remote attacker could use this arbitrary module loading vulnerability (for which proof-of-concept code exists) to upload a shared library to a writable share and then cause the server to load and execute it.

The vulnerability is trivially easy to exploit: a single line of code is enough to execute malicious code on the affected system.

simple.create_pipe("/path/to/target.so")

The Samba exploit has also already been ported to Metasploit, a penetration testing framework, enabling researchers as well as attackers to exploit this flaw easily.

Patch and Mitigations

The Samba maintainers have already patched the issue in Samba versions 4.6.4, 4.5.10 and 4.4.14, and are urging anyone running a vulnerable version to install the patch as soon as possible.

If you cannot upgrade to a patched version of Samba immediately, you can work around the vulnerability by adding the following line to your Samba configuration file, smb.conf:

nt pipe support = no

Once added, restart the SMB daemon (smbd) and you are done. Note that this change prevents clients from fully accessing some network machines and disables some functionality that connected Windows systems expect.
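As an added example (not code from the article or from the Samba project), the following script checks the two things an administrator would want to verify after reading the advice above: that the "nt pipe support = no" workaround is actually in effect in the [global] section of an smb.conf (Samba treats the parameter as a global one, matches names case-insensitively and lets a later assignment override an earlier one), and whether a given Samba version is at or above the fixed releases the article names. The sample configuration is constructed; the "smbd -V" call is a best-effort lookup of the locally installed version.

```python
"""Added example (not from the article or the Samba project): check whether an
smb.conf carries the "nt pipe support = no" workaround in its [global] section,
and whether an installed Samba version is at or above the fixed releases the
article names (4.6.4, 4.5.10, 4.4.14)."""
import re
import subprocess

# Fixed patch level per 4.x series, taken from the article.
FIXED_RELEASES = {(4, 4): 14, (4, 5): 10, (4, 6): 4}

# Constructed sample configuration (not from a real deployment).
SAMPLE_SMB_CONF = """\
# Samba configuration
[global]
   workgroup = WORKGROUP
   server string = %h server
   nt pipe support = no

[homes]
   browseable = no
"""


def nt_pipe_support_disabled(conf_text: str) -> bool:
    """True if the effective 'nt pipe support' value in [global] is off.

    Samba compares section and parameter names case-insensitively, ignores
    whitespace inside parameter names, and lets a later assignment override
    an earlier one, so the last value seen in [global] is the effective one.
    """
    section = None
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if re.sub(r"\s+", "", key).lower() == "ntpipesupport":
            value = val.strip().lower()
    return value in ("no", "false", "0")


def samba_version_fixed(version: str):
    """True/False for the 4.4, 4.5 and 4.6 series named in the article;
    None for any other series, which that list does not cover."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed_patch = FIXED_RELEASES.get((major, minor))
    if fixed_patch is None:
        return None
    return patch >= fixed_patch


def installed_samba_version():
    """Ask the local smbd for its version via 'smbd -V'; None if not installed."""
    try:
        out = subprocess.run(["smbd", "-V"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        return None
    m = re.search(r"(\d+\.\d+\.\d+)", out)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("workaround present in sample config:",
          nt_pipe_support_disabled(SAMPLE_SMB_CONF))
    for v in ("4.4.13", "4.4.14", "4.5.10", "4.6.3"):
        print(v, "fixed:", samba_version_fixed(v))
    ver = installed_samba_version()
    if ver:
        print("local smbd", ver, "fixed:", samba_version_fixed(ver))
```

A version outside the three series listed in the article (for example a 4.3.x build) comes back as None rather than as "fixed", because the article's list says nothing about it; check the vendor's own advisory for those.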

While Linux distribution vendors, including Red Hat and Ubuntu, have already released patched versions for their users, the larger risk comes from consumer NAS devices, which might not be updated as quickly.

Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability "has potential to be the first large-scale Linux ransomware worm."

Update: Samba maintainers have also provided patches for older and unsupported versions of Samba.

Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its routers and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.

Another dangerous vulnerability has been discovered in the Linux kernel, one that dates back to 2009 and affects a large number of Linux distributions, including Red Hat, Debian, Fedora, OpenSUSE, and Ubuntu.

The latest Linux kernel flaw (CVE-2017-2636), which has existed in the kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial of service (system crash).

Since the flaw dates back to June 2009, Linux enterprise servers and devices have been vulnerable for a long time, but according to Positive Technologies it is hard to say whether this vulnerability has been actively exploited in the wild.

"The vulnerability is old, so it is widespread across Linux workstations and servers," says Popov. "To automatically load the flawed module, an attacker needs only unprivileged user rights. Additionally, the exploit doesn't require any special hardware."

The researcher found the vulnerability while testing system calls with the syzkaller fuzzer, a kernel fuzzing tool developed by Google.

Popov then reported the flaw to kernel.org on February 28, 2017, along with the exploit prototype, as well as provided the patch to fix the issue.

The vulnerability has already been patched in the Linux kernel, and the security updates along with the vulnerability details were published on March 7.

Users are therefore encouraged to install the latest security updates as soon as possible; where the patch cannot be applied, the researcher advised manually blocking the flawed module (n_hdlc) to protect both enterprise and home systems.
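The article does not say how to block the module, so the following added example (mine, not the researcher's or the article's) assumes the conventional mechanism: an "install n_hdlc /bin/true" line in a file under /etc/modprobe.d, which makes modprobe run a no-op instead of loading the module. The script reports whether n_hdlc is currently loaded (from /proc/modules) and whether such a directive is present, distinguishing the install form from a weaker blacklist entry. All sample data is constructed.

```python
"""Added example (not from the article or Positive Technologies): report
whether the n_hdlc line discipline module is loaded and whether a modprobe.d
directive blocks it. The "install n_hdlc /bin/true" form is an assumption of
this example (the conventional way to stop a module from loading); the
article only says to block the module manually."""
import re
from pathlib import Path
from typing import Iterable, Optional

MODULE = "n_hdlc"
NOOP_COMMANDS = {"/bin/true", "/bin/false", "true", "false"}

# Constructed sample data, not captured from a real host.
SAMPLE_PROC_MODULES = """\
n_hdlc 16384 0 - Live 0x0000000000000000
xt_conntrack 16384 1 - Live 0x0000000000000000
"""
SAMPLE_MODPROBE_CONF = """\
# disable the vulnerable line discipline (CVE-2017-2636)
install n_hdlc /bin/true
"""


def module_loaded(proc_modules_text: str, name: str = MODULE) -> bool:
    """/proc/modules lists one module per line with the name first."""
    return any(line.split()[:1] == [name]
               for line in proc_modules_text.splitlines())


def module_blocked(conf_texts: Iterable[str], name: str = MODULE) -> Optional[str]:
    """Return 'install', 'blacklist', or None.

    'install <name> /bin/true' makes modprobe run a no-op instead of loading
    the module, even for an explicit 'modprobe n_hdlc'; a plain 'blacklist'
    entry only keeps modprobe from resolving the module's aliases, so it is
    reported as the weaker form. An install line whose command still loads
    the module does not count as a block.
    """
    found = None
    for text in conf_texts:
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments
            m = re.match(r"(install|blacklist)\s+(\S+)(?:\s+(.*))?$", line)
            if not m or m.group(2) != name:
                continue
            if m.group(1) == "install":
                if (m.group(3) or "").strip() in NOOP_COMMANDS:
                    return "install"
                continue
            found = "blacklist"
    return found


def read_modprobe_dir(path: str = "/etc/modprobe.d"):
    """modprobe only reads *.conf files in the directory."""
    return [p.read_text() for p in sorted(Path(path).glob("*.conf"))]


if __name__ == "__main__":
    proc = Path("/proc/modules")
    modules = proc.read_text() if proc.exists() else SAMPLE_PROC_MODULES
    confs = (read_modprobe_dir() if Path("/etc/modprobe.d").is_dir()
             else [SAMPLE_MODPROBE_CONF])
    print(f"{MODULE} loaded: {module_loaded(modules)}, "
          f"blocked by: {module_blocked(confs)}")
```

Adding the directive does not unload a module that is already loaded; if the check reports the module as loaded, it has to be removed (or the machine rebooted) after the directive is in place.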

A new Trojan has been discovered in the wild that turns Linux-based devices into proxy servers, which attackers use to protect their identity while launching cyber attacks from the hijacked systems.

Dubbed Linux.Proxy.10, the Trojan was first spotted at the end of last year by researchers from the Russian security firm Doctor Web, who had identified thousands of compromised machines by the end of January this year; the campaign is still ongoing and hunting for more Linux machines.

According to the researchers, the malware itself doesn't include any exploitation module for breaking into Linux machines; instead, the attackers compromise devices in the first place using other Trojans and techniques, and then create a new backdoor login account with the username "mother" and the password "fucker."

Once a device is backdoored, the attacker takes the list of all successfully compromised Linux machines, logs into each of them over SSH and installs the SOCKS5 proxy server, Linux.Proxy.10, on it.

This Linux malware is not at all sophisticated, since it uses the freely available source code of the Satanic Socks Server to set up a proxy.

According to the security firm, thousands of Linux-based devices have already been infected with this new Trojan.

Besides this, the same server — belonging to the cybercriminals who distribute the Linux.Proxy.10 malware — not only contained the list of compromised devices but also hosted the control panel of a Spy-Agent computer monitoring software and a Windows malware from a known family of Trojan spyware, called BackDoor.TeamViewer.

This is not the first time when such Linux malware has been discovered.

Over a year ago, ESET security researchers uncovered a similar malware, dubbed Moose, that also had the capability to turn Linux devices into proxy servers, which were then used for running armies of fake accounts on social media networks, including Instagram and Twitter.

Linux users and administrators are advised to tighten SSH security by limiting or disabling remote root login over SSH, and, to detect whether a system has already been compromised, to keep a regular watch for newly created login accounts.
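The two pieces of advice above translate into two small checks, shown here as an added example (mine, not Doctor Web's or the article's): diffing the current /etc/passwd against a saved baseline to surface newly created accounts that have a usable shell (plus any second UID-0 account), and reading the effective PermitRootLogin value from sshd_config, where, unlike most config formats, the first occurrence of a keyword wins. The passwd and sshd_config contents are constructed; the new account's name is the one the article reports, and Match blocks and Include directives in sshd_config are deliberately not handled.

```python
"""Added example (not from the article or Doctor Web): two checks that follow
the article's advice, diffing /etc/passwd against a saved baseline to spot
newly created login accounts, and reading the effective PermitRootLogin value
from sshd_config. All sample data below is constructed."""
import re
from typing import Dict, List

# Constructed baseline snapshot of /etc/passwd.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
# Same host later: a new interactive account has appeared. The name is the
# one the article attributes to the Linux.Proxy.10 campaign.
CURRENT_PASSWD = BASELINE_PASSWD + "mother:x:1001:1001::/home/mother:/bin/bash\n"

# Constructed sshd_config: sshd keeps the FIRST value it reads for a keyword,
# so the trailing "yes" here does not take effect.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PermitRootLogin yes
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> uid/home/shell for each well-formed passwd line."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users[fields[0]] = {"uid": int(fields[2]), "home": fields[5],
                            "shell": fields[6]}
    return users


def new_login_accounts(baseline_text: str, current_text: str) -> List[str]:
    """Accounts present now but absent from the baseline that can log in."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    return sorted(u for u, info in cur.items()
                  if u not in base and info["shell"] not in NOLOGIN_SHELLS)


def extra_uid0_accounts(current_text: str) -> List[str]:
    """Any UID-0 account other than root is a classic backdoor indicator."""
    return sorted(u for u, info in parse_passwd(current_text).items()
                  if info["uid"] == 0 and u != "root")


def effective_permit_root_login(sshd_config_text: str) -> str:
    """First PermitRootLogin wins; OpenSSH's default is prohibit-password."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)permitrootlogin\s+(\S+)", line)
        if m:
            return m.group(1).lower()
    return "prohibit-password"


if __name__ == "__main__":
    print("new login accounts:", new_login_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print("extra uid 0 accounts:", extra_uid0_accounts(CURRENT_PASSWD))
    print("PermitRootLogin:", effective_permit_root_login(SAMPLE_SSHD_CONFIG))
```

In practice the baseline is a copy of /etc/passwd taken when the host was known-good and stored off the host, since an attacker with the root-equivalent access described above can rewrite a local baseline just as easily as the passwd file itself.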

A successful exploit of this CrashDB code injection issue could allow an attacker to remotely execute arbitrary code on a victim's machine. All an attacker needs is to trick an Ubuntu user into opening a maliciously crafted crash file.

"The code first checks if the CrashDB field starts with { indicating the start of a Python dictionary," O'Cearbhaill explains.

"If found, Apport will call Python’s builtin eval() method with the value of the CrashDB field. eval() executes the passed data as a Python expression which leads to straightforward and reliable Python code execution."
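To make the quoted description concrete, here is an added example (mine, not the researcher's proof of concept and not Apport's code) that puts the vulnerable pattern beside a hardened one. A minimal stand-in parser reads the "Key: value" layout of a crash report, crashdb_unsafe() reproduces the eval()-on-a-field behaviour described above, and crashdb_safe() accepts the same legitimate dictionary through ast.literal_eval(), which admits only literals and rejects any expression, call or name. The crash report is constructed.

```python
"""Added example (not from the article, the researcher's PoC, or Apport): the
eval()-on-a-report-field pattern the quoted description names, beside a
hardened version that only accepts a literal dictionary. The crash-file
parser below is a deliberately minimal stand-in for Apport's own."""
import ast
from typing import Dict

# Constructed crash report; real .crash files use the same "Key: value" layout.
SAMPLE_REPORT = """\
ProblemType: Crash
ExecutablePath: /usr/bin/gnome-calculator
CrashDB: {'impl': 'launchpad', 'project': 'gnome-calculator'}
"""


def parse_report(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines; continuation lines (leading space) are appended."""
    fields: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            fields[key] += "\n" + line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields


def crashdb_unsafe(field: str) -> dict:
    """The vulnerable pattern: a field starting with '{' is handed to eval(),
    so any Python expression in the file runs with the user's privileges.
    Kept here only to contrast with the safe form; never use this."""
    if field.startswith("{"):
        return eval(field)
    return {"impl": field}


def crashdb_safe(field: str) -> dict:
    """Hardened form: ast.literal_eval accepts only literal syntax (no calls,
    names, attribute access or operators on strings), and the result is
    type-checked before anything trusts it."""
    if not field.startswith("{"):
        return {"impl": field}
    try:
        value = ast.literal_eval(field)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("CrashDB is not a literal dictionary") from exc
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        raise ValueError("CrashDB must be a dict with string keys")
    return value


def rejects(field: str) -> bool:
    """True if the hardened parser refuses the field."""
    try:
        crashdb_safe(field)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print("safe parse:", crashdb_safe(report["CrashDB"]))
    # An expression, not a literal: eval() computes it, literal_eval refuses it.
    expr = "{'impl': 'launch' + 'pad'}"
    print("unsafe accepts expression:", crashdb_unsafe(expr))
    print("safe rejects expression:", rejects(expr))
```

The harmless string concatenation used in the demo stands in for the general point: eval() runs whatever the file contains, while literal_eval() turns any non-literal, even a benign one, into a parse error, which is the behaviour a crash-report parser should have for data that arrives from an untrusted file.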

The flawed code was introduced on 2012-08-22 in Apport revision 2464 and was initially included in release 2.6.1.

O'Cearbhaill has published a copy of his proof-of-concept (PoC) source code on GitHub.

Video Demonstration of the CrashDB Code Injection Attack

The researcher has also shared a video demonstration showing that it is possible to gain control over a targeted Ubuntu system using this flaw with the help of a malicious file.

O'Cearbhaill launched GNOME Calculator from a simple Apport crash report file and explained that the file could be saved with the .crash extension or with any other extension that is not registered on Ubuntu.

The researcher reported the crash-reporting bug (tracked as CVE-2016-9949, with a related path traversal bug as CVE-2016-9950) to the Ubuntu team, which patched the flaw in Ubuntu on December 14; O'Cearbhaill received a $10,000 bounty.

Users and administrators of Ubuntu Linux desktops are strongly advised to patch their systems as soon as possible via the usual update mechanism.


A 5-year-old serious privilege-escalation vulnerability has been discovered in the Linux kernel that affects almost every distribution of the Linux operating system, including Red Hat and Ubuntu.

Over a month back, a nine-year-old privilege-escalation vulnerability, dubbed "Dirty COW," was discovered in the Linux kernel that affected every distro of the open-source operating system, including Red Hat, Debian, and Ubuntu.

Now another Linux kernel vulnerability (CVE-2016-8655), disclosed today and dating back to 2011, could allow an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel.

Philip Pettersson, the researcher who discovered the flaw, was able to create an exploit to gain a root shell on an Ubuntu 16.04 LTS system (Linux Kernel 4.4) and also defeated SMEP/SMAP (Supervisor Mode Execution Prevention/Supervisor Mode Access Prevention) protection to gain kernel code execution abilities.

In other words, a local unprivileged attacker can use this exploit to cause a denial of service (crashing the server) or run arbitrary malicious code with administrative privileges on the targeted system.

"A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer," Red Hat security advisory explains.

"A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system."

This flaw poses a real risk to service providers, whose servers could be crashed or compromised through this Linux kernel vulnerability.

"On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug," Pettersson explains.

The vulnerability was patched in the mainline kernel last week, so users are advised to update their Linux distro as soon as possible.